17.07.2015 Views

Download eBook (PDF) - Red Gate Software

4 – Encryption Basics for SQL Server

Certificates

A certificate is used in much the same way as an asymmetric key in that it involves a public/private key pair. The primary difference is that a certificate's private key is digitally associated with an individual or device, whereas the asymmetric key is not. The industry standard known as the Internet X.509 Public Key Infrastructure (PKI) defines the contents and signature requirements for a valid certificate and its private key.

In SQL Server, a certificate's private key can either be imported from an external assembly or generated within the database. In the latter case the result is called a self-signed certificate. The certificate private key that is generated within SQL Server is in compliance with the PKI standard.

Listing 4-4 demonstrates how a certificate can be created within a database using the CREATE CERTIFICATE command.

Use HomeLending;
GO
CREATE CERTIFICATE MySelfSignedCert
ENCRYPTION BY PASSWORD = 'MyStr0ngP@ssw0rd2009'
WITH SUBJECT = 'Self Signed Certificate',
EXPIRY_DATE = '05/31/2010';
GO

Listing 4-4: Creating a certificate in the HomeLending database.

Once again, you can query sys.asymmetric_keys to verify the existence of the certificate in the database in which you attempted to create it.

When creating a certificate, you can specify arguments that define its activation date (START_DATE) and expiration date (EXPIRY_DATE). These properties can be used in the management of a certificate's lifecycle. SQL Server does not enforce the activation and expiry dates that are associated with a certificate. Additional logic, or the use of the Extensible Key Management (EKM) feature of SQL Server, must be employed to enforce these dates.

Certificates are used to protect other keys within the database as well as sensitive data.

Symmetric Key

When an item is encrypted using a symmetric key it must be decrypted using that same key. The service master key, database master keys and database
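The following T-SQL is an added example, not a listing from the book: it creates a certificate with both START_DATE and EXPIRY_DATE set, verifies it through the catalog, enforces the validity window the way the text says the server itself will not, and then uses the certificate both directly on data and to protect a symmetric key. The certificate name LoanDataCert, the symmetric key name LoanDataKey, the password and the dates are assumptions chosen for the example. Note that certificates are listed in the sys.certificates catalog view (sys.asymmetric_keys lists asymmetric keys), so that is the view the example queries.

```sql
USE HomeLending;
GO

-- Added example: a certificate with an explicit validity window.
-- Name, password and dates are assumptions for illustration only.
CREATE CERTIFICATE LoanDataCert
    ENCRYPTION BY PASSWORD = 'ExampleOnly_Ch@ngeMe2015'
    WITH SUBJECT     = 'HomeLending loan data protection',
         START_DATE  = '01/01/2015',
         EXPIRY_DATE = '12/31/2015';
GO

-- Verify the certificate and inspect its lifecycle properties.
-- Certificates live in sys.certificates, not sys.asymmetric_keys.
SELECT name, subject, start_date, expiry_date, pvt_key_encryption_type_desc
FROM   sys.certificates
WHERE  name = 'LoanDataCert';
GO

-- SQL Server does not enforce start_date / expiry_date, so the guard has
-- to be written by the application. Abort the batch if the certificate
-- is not currently within its validity window.
DECLARE @now DATETIME = GETDATE();
IF NOT EXISTS (
    SELECT 1
    FROM   sys.certificates
    WHERE  name = 'LoanDataCert'
      AND  start_date  <= @now
      AND  expiry_date >  @now)
BEGIN
    RAISERROR('Certificate LoanDataCert is outside its validity window.', 16, 1);
    RETURN;
END;

-- 1) Protect a sensitive value directly with the certificate's public key ...
DECLARE @ciphertext VARBINARY(MAX) =
    EncryptByCert(Cert_ID('LoanDataCert'), N'123-45-6789');

-- ... and recover it; decryption needs the private-key password (nvarchar).
SELECT CONVERT(NVARCHAR(50),
       DecryptByCert(Cert_ID('LoanDataCert'), @ciphertext,
                     N'ExampleOnly_Ch@ngeMe2015')) AS plaintext;
GO

-- 2) Use the certificate to protect another key: a symmetric key whose
--    own key material is encrypted by LoanDataCert.
CREATE SYMMETRIC KEY LoanDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE LoanDataCert;
GO

-- The symmetric key can only be opened by someone able to unlock the
-- certificate's private key, which is where the password is supplied.
OPEN SYMMETRIC KEY LoanDataKey
    DECRYPTION BY CERTIFICATE LoanDataCert
    WITH PASSWORD = 'ExampleOnly_Ch@ngeMe2015';

DECLARE @symCipher VARBINARY(MAX) =
    EncryptByKey(Key_GUID('LoanDataKey'), N'123-45-6789');

SELECT CONVERT(NVARCHAR(50), DecryptByKey(@symCipher)) AS plaintext_via_symmetric_key;

CLOSE SYMMETRIC KEY LoanDataKey;
GO
```

The validity-window check is deliberately placed before any use of the certificate: because the engine accepts an expired or not-yet-active certificate without complaint, the only place the dates mean anything is in logic like this (or in an EKM provider that performs the same check outside the database).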
